Print Page - Help needed trying to route traffic from a subnet through a VPN client

Title: Help needed trying to route traffic from a subnet through a VPN client
Post by: nununo on August 30, 2019, 07:38:45 PM

Hi,

What I need:
I have several subnets defined in my OPNSense and need one of them to access the Internet through a VPN client instead of through the default gateway.

I also found a tutorial for OPNSense+NordVPN but it routes all traffic through the VPN. I just want to route one of the subnets. The rest must remain unchanged.

What I did:
After reading a lot from OPNSense's docs and some online tutorials (some specific to pfSense) I gave it a try:

Created a client to my VPN provider and connected it successfully;
Created a new interface WANVPN assigned to the VPN client;
(OPNSense automatically created two new Gateways called WANVPN_VPN4 and WANVPN_VPN6. I disabled the latter.);
Created a new VLAN type interface with VLAN=4 with parent interface LAN;
Created a new interface called LANVPN assigned to the new VLAN with address 10.0.4.1/24;
Changed NAT outbound mode to manual and created manual rules to keep the same behaviour as before except for the LANVPN interface;
Added NAT outbound rule on interface WANVPN with source address LANVPN net;
Added Firewall rule to interface WANVPN to let any traffic pass coming from LANVPN net
Added Firewall rule to interface LANVPN to let all traffic pass and in the Gateway I chose WANVPN_VPNV4;

This is it. But somehow it is not working properly.

The problem:
A computer in this subnet 10.0.4.1/24 can successfully ping 10.0.4.1 but when it tries to ping google.com this happens:

Code Select

PING google.com (216.58.201.174): 56 data bytes
64 bytes from 10.0.4.1: icmp_seq=0 ttl=64 time=1.177 ms
64 bytes from 10.0.4.1: icmp_seq=1 ttl=64 time=2.376 ms
64 bytes from 10.0.4.1: icmp_seq=2 ttl=64 time=2.009 ms
64 bytes from 10.0.4.1: icmp_seq=3 ttl=64 time=1.850 ms

Notice how DNS is able to find google.com IP but then it actually tries to ping 10.0.4.1.

And this is where I get lost. For sure I'm missing something or doing something wrong, but what? I'm not so sure about the Firewall rules I added in both LANVPN and WANVPN. I specially wonder why the interface WAN has an automatically generated rule called "let out anything from firewall host itself (force gw)" while the new interface WANVPN doesn't.

Any help is welcome.

Thanks in advance,
Nuno

OPNsense Forum

English Forums => General Discussion => Topic started by: nununo on August 30, 2019, 07:38:45 PM